From 5b352c5d40f052e946fa6d4c82210ad3ede59fca Mon Sep 17 00:00:00 2001 From: Kyle Squizzato Date: Fri, 18 Oct 2024 13:53:11 -0700 Subject: [PATCH] Add access checks prior to checking our PRs Ensure only users with write permissions can run CI Signed-off-by: Kyle Squizzato --- .github/workflows/build_test.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml index 526780723..fd61eaa73 100644 --- a/.github/workflows/build_test.yml +++ b/.github/workflows/build_test.yml @@ -12,6 +12,7 @@ on: paths-ignore: - 'config/**' - '**.md' + - '.github/**' push: tags: - '*' @@ -32,6 +33,22 @@ jobs: clustername: ${{ steps.vars.outputs.clustername }} pr: ${{ steps.pr.outputs.result }} steps: + - name: Get User Permissions + id: checkAccess + uses: actions-cool/check-user-permission@v2 + with: + require: write + username: ${{ github.triggering_actor }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Check User Permissions + if: steps.checkAccess.outputs.require-result == 'false' + run: | + echo "${{ github.triggering_actor }} does not have permissions on this repo." + echo "Current permission level: ${{ steps.checkAccess.outputs.user-permission }}" + echo "Job originally triggered by: ${{ github.actor }}" + echo "This job must be triggered by a user with proper permissions, if you have opened a PR and lack permissions please ask a repo collaborator to re-run this job on your behalf." + exit 1 - name: Get PR ref uses: actions/github-script@v6 id: pr